Re: ActiveX security hole reported.

• To: "'www-security'" <www-security@ns2.rutgers.edu>
• Subject: Re: ActiveX security hole reported.
• From: Fisher Mark <FisherM@is3.indy.tce.com>
• Date: Thu, 22 Aug 96 08:50:00 PDT

David M. Chess writes in <199608211615.MAA22290@mailhub1.watson.ibm.com>:
>(Of course, there are still issues about whether or not
>you'd want to allow an incoming executable to run, even
>if it *is* signed by a Major Software House, but my guess
>is this will be no more of an issue than it is with current
>shrink-wrapped software.)
>
>There are other scenarios, of course, that assume that you
>can safely accept incoming executables from strangers and
>run them in a tight-enough padded cell, and/or that there'll
>be some easy and feasible method to come to trust authors
>that are not necessarily in the Fortune 50...

ActiveX's security model may be OK for Intranet applets, but is totally 
unacceptable for Internet applets.  Even though they are very small in 
absolute numbers, there are way too many people with diabolical and/or 
prankish impulses with too much time on their hands who will be all too 
willing to write ActiveX applets and/or hack major sites to substitute their 
ActiveX applet for the major corporation's applet (cf. the current DOJ 
thread -- there's a lot of hate out there for Microsoft...).  The Java 
sandbox approach, where capabilities are strictly limited, is the correct 
(IMNSHO) approach.  Now whether the _Java_ sandbox security model is correct 
is a subject for further study by myself (and perhaps another rant, another 
day).
======================================================================
Mark Leighton Fisher                   Thomson Consumer Electronics
fisherm@indy.tce.com                   Indianapolis, IN

• Previous: Re: who visited my page?
• Next: A problem with Navigator's cache
• Index(es):
  • Index
  • Thread